Two-factor flaws and a plethora of bugs passed by the regulators.
The City of London has a well earnt reputation for dodging public scrutiny, courted over years of battles with regulators and British governments in which the moneymen tend to emerge at the top.
This is troubling enough when it comes to financial markets, but, as emerged last week, there is also evidence that finance is escaping proper scrutiny when it comes to IT – particularly with regard to its security.
Back in December 2013, an investigation by the security firm Bronzeye allegedly turned up 47 vulnerabilities in the systems of a big British bank, 22 of which were critical. Also found was a two-factor security flaw which allows hackers to monitor users’ activities and infiltrate banks undetected, akin to the tactics used by the Carbanak hacking group.
In the wake of last week’s reports, CBR learnt that a European bank is currently being attacked through this very method. Andrew Taylor, chief executive of Bronzeye, even suspects that any bank that uses two-factor could be vulnerable to the problem, potentially affecting everyone who banks in the UK.
More worrying than any of the above is that as Bronzeye attempted to tackle the problem, it claims to have been met with denial and distortion on the part of the bank, followed by complacency from the regulators. If this is the future of information security in finance, everyone should be concerned.
The claim that it took more than a year from Bronzeye’s approaching of the bank for this issue to surface would hardly be an uncommon lag in cybersecurity, where flaws can be exploited for months before anybody realises there is a problem, let alone gets around to addressing it.
Some of the vulnerabilities the security vendor says it found found concerned third-party vendors, which can often be used by hackers as a gateway into the main organisation. Taylor said: "The bank concerned has got issues with its third-party vendors generally. When we showed them all the vulnerabilities they gave all sorts of excuses."
According to a letter he sent to the whistleblowing desk of the Financial Conduct Authority (FCA), the bank refused to see the vulnerabilities Bronzeye wanted to show to them, claiming variously that responsibility lay with their third-party vendors, that a demonstration would disrupt banking operations, and simply that such problems did not exist.
"As soon as they realised what we could do they wouldn’t let us anywhere near their computers," Taylor said. "We understand that they don’t want someone claiming all of their IP, but at the same time if they have got a flaw they have got a flaw."
As a workaround Bronzeye said it attempted to configure its own website to demonstrate the flaw – their site having coincidentally been attacked on the same day as a meeting with the bank, according to Taylor. But even then the bank was not interested, and Bronzeye could not even begin to properly discuss the two-factor problem.
Meetings between the company and the bank continued fruitlessly throughout February 2014, according to Taylor, with Bronzeye’s concerns met with continued denial from the bank. During February, he also claimed to have met with the regulators to explain his worries, but this proved similarly unproductive.
Rather than treat Bronzeye as an outside consultant, the FCA and the Bank of England (BoE) insisted it be treated as a whistleblower, according to Taylor. "I think [the regulators are] interested, but they’re hampered by the stupid regulations," he said.
Contacted for comment by CBR, the FCA refused to respond to "this particular issue", instead preferring to direct us to general information of the government’s work on cybersecurity. The BoE was similarly unhelpful, whilst RBS, HSBC and Barclays all declined to comment.
"I suspect [the unnamed bank has] sorted out the other vulnerabilities, which sort of indicates they took our advice," Taylor said, adding that the recent attention to the alleged problems with two-factor flagged by him and the security vendor Kaspersky Lab, which produced the report on Carbanak, may have prompted action on that issue.
Yet even if the problems have been fixed, the silence from the FCA over the issue (despite its past diligence on other IT problems) and the behaviour of the bank should cause everybody to worry. Whilst customers rarely pay for the fraud itself the costs are borne by everyone in the form of higher charges for various services.
What is more the ability of a bank to duck the scrutiny of a regulator sets a disconcerting precedent for other critical industries facing cybersecurity problems. If a bank can leave the door unlocked, who else is exposed?